#DESC SE Linux User Manager (seuser)
#DEPENDS checkpolicy.te load_policy.te
#
# Authors:   don.patterson@tresys.com, mayerf@tresys.com
# Additions: wsalamon@tislabs.com, dac@tresys.com

#

#################################
#
# Rules for the seuser_t domain.
#
# seuser_t is the domain of the seuser application when it is executed.
# seuser_conf_t is the type of the seuser configuration file.
# seuser_exec_t is the type of the seuser executable.
# seuser_tmp_t is the type of the temporary file(s) created by seuser.
# 
##############################################
# Define types, and typical rules including
# access to execute and transition
##############################################

# Defined seuser types
type seuser_t, domain, privhome  ;
type seuser_conf_t, file_type, sysadmfile ;
type seuser_exec_t, file_type, sysadmfile, exec_type ;
tmp_domain(seuser)

# Authorize roles
role sysadm_r types seuser_t ;

# Allow sysadm_t to run with privilege
domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)

# Grant the new domain permissions to many common operations
# FIX: Should be more resticted than this.
#every_domain(seuser_t)
allow seuser_t self:process { fork sigchld };
allow seuser_t self:fifo_file read;
allow seuser_t self:unix_stream_socket {create connect};
allow seuser_t self:dir search;
allow seuser_t self:file { read getattr };

allow seuser_t etc_t:dir search;
allow seuser_t etc_t:{lnk_file file} { read getattr};
read_locale(seuser_t)
allow seuser_t { var_run_t var_t}:dir search;

uses_shlib(seuser_t)

allow seuser_t devtty_t:chr_file {read write };
allow seuser_t proc_t:dir search;
allow seuser_t proc_t:{lnk_file file} { getattr read };

allow seuser_t root_t:dir search;
allow seuser_t staff_home_dir_t:dir search;
allow seuser_t home_root_t:dir { getattr search };
allow seuser_t staff_home_dir_t:dir getattr;
allow seuser_t default_t:file {read getattr};

allow seuser_t bin_t:dir { getattr search read} ;
allow seuser_t bin_t:lnk_file { read getattr };
allow seuser_t sbin_t:dir search;

# Inherit and use descriptors from login.
allow seuser_t privfd:fd use;

###############################################

# Use capabilities to self
allow seuser_t self:capability { dac_override setuid setgid } ;

# Grant the seuser domain ability to change passwords for a user.
allow seuser_t self:passwd { passwd chfn chsh } ;

# Read permissions for seuser.conf file
allow seuser_t seuser_conf_t:file r_file_perms ;


###################################################################
# Policy section: Define the ability to change and load policies
###################################################################

# seuser_t domain needs to transition to the checkpolicy and loadpolicy 
# domains in order to install and load new policies.
domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)
domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)

# allow load_policy and checkpolicy domains access to seuser_tmp_t
# files in order for their stdout/stderr able to be put into
# seuser's tmp files.
#
# Since both these domains carefully try to limit where the
# assoicated program can read from, we won't use the standard
# rw_file_perm macro, but instead only grant the minimum needed
# to redirect output, write and getattr.
allow checkpolicy_t seuser_tmp_t:file { getattr write } ;
allow load_policy_t seuser_tmp_t:file { getattr write } ;
allow useradd_t seuser_tmp_t:file { getattr write } ;


# FIX:  Temporarily allow seuser_t permissions for executing programs with a 
# bint_t type without changing domains. We have to give seuser_t the following 
# access because we use the policy make process to build new plicy.conf files. 
# At some point, a new policy management infrastructure should remove the ability 
# to modify policy source files with arbitrary progams
#
can_exec(seuser_t, bin_t)
can_exec(seuser_t, shell_exec_t)


# Read/write permission to the login context files in /etc/security
allow seuser_t login_contexts:file create_file_perms ;

# Read/write permission to the policy source and its' directory
allow seuser_t policy_src_t:dir create_dir_perms ;
allow seuser_t policy_src_t:file create_file_perms ;

# Allow search and stat for policy_config_t
allow seuser_t policy_config_t:dir { search getattr } ;
allow seuser_t policy_config_t:file stat_file_perms;


#ifdef(`xserver.te', `
############################################################
# Xserver section - To support our GUI interface, 
############################################################
# Permission to create files in /tmp/.X11-Unix
#allow seuser_t sysadm_xserver_tmp_t:dir search ;
#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;
#allow seuser_t user_xserver_tmp_t:dir search ;
#allow seuser_t user_xserver_tmp_t:sock_file write ;

# Permission to establish a Unix stream connection to X server
#can_unix_connect(seuser_t, user_xserver_t)
#can_unix_connect(seuser_t, sysadm_xserver_t)
#')
ifdef(`xdm.te', `
can_unix_connect(seuser_t, xdm_xserver_t)
')

# seuser_t domain needs execute access to the library files so that it can run.
can_exec(seuser_t, lib_t)

# Access ttys
allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;
allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;